
Re: Am I hacked?



Michal Sedlak wrote:

But I think the bigger problem is this
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.

Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/login (-rwsr-xr-x)
matched the /bin/login on this machine.

Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.

Linux 2.4.17

It looks to me as though tiger checked only one possible version of each
of these commands.  Not too surprising you wouldn't match that particular
one.  I think you should run md5sum on those commands and check the output
against -- well, that I'm not too sure about, but someone must have the
official md5sums for sarge files, now that it's been released?

and this

# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
--WARN-- [rootkit004w] Chkrootkit has detected a possible rootkit installation
Warning: Possible LKM Trojan installed

chkrootkit has given me this false positive before, I forget why.
Get the detailed output from chkrootkit.
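
The md5sum comparison suggested in the reply above, as an added example that is not part of the original message: a POSIX shell function that checks files against a reference list in `md5sum` output format and reports each one as OK, MISMATCH, MISSING or NOREF. The function names `verify_against_md5sums` and `demo`, the argument layout, and the premise that the reference list comes from a trusted source outside the suspect machine are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check files under ROOT against a trusted reference list in
# md5sum format ("<md5>  <path relative to ROOT>", no whitespace in paths).
# Assumption: the list was obtained outside the suspect system, and ROOT is
# ideally the suspect disk mounted from rescue media.

# verify_against_md5sums ROOT REFERENCE PATH...
# Prints OK, MISMATCH, MISSING or NOREF per path; returns 0 only if all are OK.
verify_against_md5sums() {
    root=$1; ref=$2; shift 2
    status=0
    for rel in "$@"; do
        rel=${rel#/}    # accept /bin/ls or bin/ls
        want=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$ref")
        if [ -z "$want" ]; then
            echo "NOREF    /$rel"; status=1; continue
        fi
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  /$rel"; status=1; continue
        fi
        have=$(md5sum "$root/$rel" | awk '{ print $1 }')
        if [ "$have" = "$want" ]; then
            echo "OK       /$rel"
        else
            echo "MISMATCH /$rel (expected $want, got $have)"; status=1
        fi
    done
    return "$status"
}

# Constructed demo: a throwaway tree in which bin/bash is altered after the
# reference list is taken, and /bin/login has no reference entry at all.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/root/bin"
    printf 'original ls\n'   > "$tmp/root/bin/ls"
    printf 'original bash\n' > "$tmp/root/bin/bash"
    ( cd "$tmp/root" && md5sum bin/ls bin/bash ) > "$tmp/ref.md5sums"
    printf 'altered bash\n'  > "$tmp/root/bin/bash"
    rc=0
    verify_against_md5sums "$tmp/root" "$tmp/ref.md5sums" \
        /bin/ls /bin/bash /bin/login || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Calling `demo` prints one line per file; a NOREF result means the reference list has no entry for that path, which says nothing about the file either way.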


